Re: Disable executing external commands from psql?

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Ken Tanzer <ken(dot)tanzer(at)gmail(dot)com>
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: Disable executing external commands from psql?
Date: 2010-06-01 23:55:31
Message-ID: 11514.1275436531@sss.pgh.pa.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Ken Tanzer <ken(dot)tanzer(at)gmail(dot)com> writes:
> Hi. I'm wondering if it is possible to disable use of \! to execute
> commands in psql? I see this has come up on the list before
> (http://archives.postgresql.org/pgsql-admin/2007-07/msg00242.php) but I
> don't see anyone saying whether it is possible or not, just that it's a
> bad or useless idea.

Yes, it seems pretty useless.

> It may or may not be a bad idea (e.g., carry some risk). My scenario is
> that I'd like to give people that I don't necessarily know (or therefore
> trust) the ability to run psql for a database I've already set up for
> them. I set their login shell to psql, so they can simply ssh in, and
> they are in psql. From there, though, they can do a simple \!
> /bin/bash, and they've got way more access than I want them to.

> So is there any way to disable the "\!" stuff? If there's a better way
> to go about this, I suppose I'm all ears too!

The better way to go about that is to not let them have an account on
the server machine in the first place. Just expose the postmaster port
(perhaps via ssh tunneling) and let them run psql on their own machines.

regards, tom lane

In response to

Responses

Browse pgsql-general by date

  From Date Subject
Next Message Bruce Momjian 2010-06-01 23:57:39 Re: Disable executing external commands from psql?
Previous Message Ken Tanzer 2010-06-01 23:45:52 Disable executing external commands from psql?